Thursday's disclosure that hackers breached a HealthCare.gov test server this summer sparked more concern about the overall vulnerability of healthcare organizations and hope that the growing number of publicly disclosed hacks will encourage those organizations to expend more resources on securing data, networks, and systems.
A hacker installed malicious code on a device that had kept its default manufacturer's password. As a test server, it was not supposed to be hooked to the Internet, said Patrick Peterson, founder and CEO of security developer Agari, in an interview. Either keeping the server unconnected or using tools that automatically change pre-set passwords would have prevented this vulnerability, he said. Because it shared the breach, HealthCare.gov should be lauded for its transparency, said Peterson.
This type of error is easily preventable, but is the kind of mistake that can occur at most organizations without proper training and IT management, said Ashley Leonard, president and CEO of Verismic Software:
I am sure it is unnerving for the public when our government's own systems get compromised by hacking. This, on top of the recent celebrity hacking, creates a distrust in cloud. However, if you look more closely at what has actually happened, systems are being penetrated by a combination of bad IT management and poor end-user training. I believe IT managers and software vendors need a better way to share information on vulnerabilities and how to patch them. The second concern is passwords; though passwords are set to protect our most sensitive data, we have a real issue today of using technology much older than most of us. At the very least we should be moving to pass phrases, two-factor authentication, or biometrics to protect our data.
Although federal officials were quick to reassure the public that no personal, financial, or health data was stolen, a chorus of dissent arose immediately given the amount of information HealthCare.gov houses and the number of alarms raised about the site's security weaknesses.
"IT experts have long warned about the lack of security built into the federal Obamacare website," said Congressman Diane Black (R-Tenn.), in a statement. "The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers. That is why designing a secure website should have been a top priority for this Administration."
While politicians battle it out in Washington, D.C., CIOs and chief security officers might find it easier to wrest security funds from reluctant boards and CEOs. That can't happen soon enough, based on the industry's ongoing poor performance when compared with other sectors.
Last year, there were 276 breaches in healthcare, the largest number from five verticals that the Identity Theft Resource Center reviewed, said John Pescatore, director of Emerging Security Trends at SANS. "Driven both by attempts to reduce cost and rushing to meet deadlines to meet federal requirements, the healthcare industry has failed to sufficiently build security into their systems -- the healthcare exchange websites are just one example," he said. "Security has been seen as increasing cost and slowing down schedule. CISOs' recommendations have been ignored, or postponed in attempts to 'sprinkle security on,' post deployment. This has largely been the case over the past several years, leading to this growing trend of breaches in healthcare systems."
In light of recent hacking attacks at HealthCare.gov, JP Morgan & Chase, Home Depot, and Community Health Systems, business leaders are more aware of risks -- and the impact that breaches could have on their organizations, many security executives agreed. To date, many have spent more on electronic medical records (EMRs) and meeting Meaningful Use mandates than on security, but that must change, they noted.
"Healthcare needs to re-evaluate the resources they've allocated to EMR security. The last few years have seen most hospital systems deploy significant technology for EMRs, consumer technology to support clinical staff, patient portals, and much more," Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, said via email. "In fact, for large hospital systems, an EMR project can be on par with HealthCare.gov in terms of cost, resources, and project scope and scale. They will need to look at whether they have done at least as well as [the Department of Health and Human Services] on security, if not better."
This latest incident at HealthCare.gov could give IT executives more ammunition in their quest for better funding and resources.
"It is too early to tell specifically about HealthCare.gov, but when seen as part of the overall trend, this is without a doubt raising awareness and forcing a reordering of priorities and budgets," Gilad Parann-Nissany, CEO and co-founder of cloud developer Porticor, told InformationWeek.
Added Todd Feinman, CEO of Identity Finder: "CIOs should be using this as justification for much higher budgets to manage sensitive information and prevent data breaches proactively. Their job is at risk and this is a difficult problem to solve. They can now point to real evidence, instead of fear/uncertainty/doubt, that shows there is a need within their organization. We are seeing an increase in spend around sensitive data management due to the recent wave of data breaches."
The goal, however, is not perfection. No technology, no team or individual can assure total security, cautioned Agari's Peterson. Rather, CSOs and CIOs must improve healthcare security, reduce risk, and work together, just as financial institutions do, he said.
Many healthcare organizations already have implemented many standards and tight security capabilities, said Wes Wright, senior vice president and CIO of Seattle Children's, via email. "Most good healthcare organizations have been concentrating on security since the beginning of HIPAA back in the early 2000s and then with the HITECH act. I think the HIT community is running as hard as they can to catch up, keep up with security," he said. "We may see more emphasis and interest, from the CEO and board levels, on an organization's security posture [although] not necessarily more activity, since I think we've actually reached a human resource-limited pace."
Consumers might not yet be as quick to switch doctors as they are to switch retailers (think Wal-Mart instead of Target), but that day could come if healthcare providers are complacent about security, executives warned. Patients also are becoming more critical of how and to whom they hand over their data, said Feinman.
Ultimately consumers will vote with their pocketbooks, even in healthcare, said Peterson. "At the end of the day, if you cross the consumer enough, you will not win the marketplace," he said.
Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...